SSL Certificate Error: certificate_unknown

Server Fault Asked by User97693321 on January 1, 2022

I want to create push notification server and while installing SSL certificate and .p12 file in server we are facing the below error: I want to know what is the wrong with ssl certificate because I am getting certificate_unknown error.

main, RECV TLSv1 ALERT:  fatal, certificate_unknown
main, called closeSocket()
main, handling exception: Received fatal alert: certificate_unknown
Error pushing notification(s):
Invalid certificate chain (Received fatal alert: certificate_unknown)!  Verify that the keystore you provided was produced according to specs...
      at javapns.notification.PushNotificationManager.sendNotification(
      at javapns.notification.PushNotificationManager.sendNotification(
      at javapns.notification.PushNotificationManager.sendNotification(
      at javapns.Push.payload(
      at javapns.Push.alert(
      at com.applicationname.pns.PushNotification.main(

//source code

    package com.applicationname.pns;

    import org.json.JSONException;

    import javapns.Push;
    import javapns.devices.Device;
    import javapns.notification.Payload;
    import javapns.notification.PushNotificationManager;
    import javapns.notification.PushNotificationPayload;

    public class PushNotification
        private static final String HOST = "";
        private static final int PORT = 2195;
        private static final int BADGE = 66;
        private static String iPhoneId = "5696ee2fa44c61fd21a7987d2b1bcf57faa1603e63cb57ff204b158fb90d28a3";
        private static String certificate = "D:/./trunk/Development/JavaPNS/src/com/applicationname/pns/privateKey.p12";
        private static String passwd = "password@1234";

         * @param args
        public static void main(String[] args)
            Push.alert("Hello World!", certificate, passwd, false,iPhoneId);

            PushNotificationPayload payLoad = new PushNotificationPayload();

                payLoad.addAlert("Hello World!");
            catch (JSONException e)
                // TODO Auto-generated catch block



3 Answers

I've been hit with this issue a few times but this latest bout I found that my x509 extensions were not complete.

I have a server that needs to be secured but from time to time it also needs to act as a client to other servers. I finally pinpointed the issue down to the X509v3 Extended Key Usage missing the TLS Web Client Authentication extension when my server is acting as a client. I am not entirely sure if this is bad practice but it just happens to be the case that some information is shared between protected servers.

Always check your certificate extensions to verify that they have what is expected.

openssl x509 -in cert.pem -noout -text | less

If you think you're having my issue as well, you'll have to re-emit a new cert with the missing extension.

If you are your own CA, just add the following to your signature operation (or your CSR if copy is enabled) under the extension stanza of your choice (mine is req_both (which is part of my cnf file):

... other extensions
extendedKeyUsage = clientAuth, serverAuth
... more extensions

If you are not a CA then you'll have to initiate a new certificate signing request (CSR) to your certificate provider and either have them copy over your extensions or let them know all the extensions that you need.

Answered by hanzo2001 on January 1, 2022

It is unusual to load the private key as a client request to an SSL socket. I personally think you should be loading the public key. The private key is loaded by the SSL socket on the server side. The only reason you would need the private key is for acting like a server and accepting connections from the other end, but you don't seem to be doing that.

This might explain the "cert in wrong format" message.

In reference to:

private static String certificate = "D:/./trunk/Development/JavaPNS/src/com/applicationname/pns/privateKey.p12"

Answered by djangofan on January 1, 2022

I think the error is pretty self-evident, your certificate chain does not actually verify your certificate properly. Perhaps you are missing one or more of the chaining certs needed to verify your final end cert?

What ever it is, the error gives you the very clear instruction to "Verify that the keystore you provided was produced according to specs...".

There is nothing anyone on this site can possible add other than to read what your error message says and to do it - none of us have crystal balls, nor can we magically fix your problem.

I don't see the point in posting a question where you give us no more information other than a VERY clear error message that tells you exactly what to do. All we can say is "do what the error message says!"

Answered by Bart B on January 1, 2022

Add your own answers!

Ask a Question

Get help from others!

© 2024 All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP